There are lots of tools out there for watching logs and alerting on specific
patterns.
I believe that logwatch just looks at the logs a line at a time, not trying to
keep context.
Simple Event Correlator can match on individual lines, but can also keep context
so that it can alert on combinations of logs, too many logs of a specific type
in a given period, etc.
The problem with all of these tools is that people write their own rulesets for
them, but there's not a lot of successful work gathering the rules that people
write into good examples that others can use. I think the problem is that most
people don't think their rules are good enough to be worth sharing.
rrdtool includes capabilities that can auto-detect your usage patterns and alert
you when actual usage is too far from what's expected.
https://www.usenix.org/legacy/publications/library/proceedings/lisa2000/full_papers/brutlag/brutlag_html/index.html
David Lang
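The two kinds of rule David Lang describes for Simple Event Correlator (match a single line, or keep context and alert when too many events of one type occur in a given period) as an added Python example. This is not code from the thread or from SEC itself; the rule names, patterns, thresholds and sample syslog lines are constructed for illustration.

```python
"""Minimal SEC-style correlator: "single" rules fire on every matching line,
"threshold" rules keep context and fire when `count` matches sharing the same
key (here a source IP) fall inside a sliding window of `window` seconds."""
import re
from collections import defaultdict, deque

# Hypothetical rules; names, patterns and numbers are assumptions for illustration.
RULES = [
    {"name": "oom", "kind": "single",
     "pattern": re.compile(r"Out of memory|oom-killer")},
    {"name": "ssh-bruteforce", "kind": "threshold",
     "pattern": re.compile(r"Failed password .* from (?P<key>\d+\.\d+\.\d+\.\d+)"),
     "count": 3, "window": 60},
]

# Constructed sample log: (epoch seconds, syslog message). Not real data.
SAMPLE_LOG = [
    (0,   "sshd[2100]: Failed password for root from 203.0.113.5 port 50000 ssh2"),
    (20,  "sshd[2101]: Failed password for root from 203.0.113.5 port 50001 ssh2"),
    (30,  "sshd[2102]: Failed password for admin from 198.51.100.9 port 40000 ssh2"),
    (45,  "sshd[2103]: Failed password for root from 203.0.113.5 port 50002 ssh2"),
    (100, "kernel: Out of memory: Kill process 1234 (httpd) score 900 or sacrifice child"),
    (200, "sshd[2104]: Failed password for admin from 198.51.100.9 port 40001 ssh2"),
]


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        # (rule name, key) -> timestamps of matches still inside the window
        self.events = defaultdict(deque)

    def feed(self, ts, line):
        """Process one line; return a list of (ts, rule name, detail) alerts."""
        alerts = []
        for rule in self.rules:
            m = rule["pattern"].search(line)
            if not m:
                continue
            if rule["kind"] == "single":
                alerts.append((ts, rule["name"], line))
                continue
            key = m.groupdict().get("key", "")
            q = self.events[(rule["name"], key)]
            q.append(ts)
            # Drop matches that have aged out of the window.
            while q and ts - q[0] > rule["window"]:
                q.popleft()
            if len(q) >= rule["count"]:
                alerts.append((ts, rule["name"],
                               f"{len(q)} events from {key} in {rule['window']}s"))
                q.clear()  # reset so one burst produces one alert, not one per extra line
        return alerts


def run(lines, rules=RULES):
    """Feed (ts, line) pairs through a fresh correlator and collect all alerts."""
    c = Correlator(rules)
    out = []
    for ts, line in lines:
        out.extend(c.feed(ts, line))
    return out


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the sample data the three failures from 203.0.113.5 within 45 seconds produce one threshold alert, the OOM line produces a single-line alert, and the two failures from 198.51.100.9 spaced 170 seconds apart never reach the threshold, which is exactly the context a line-at-a-time tool cannot keep.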
On Sat, 22 Aug 2015, Graham Dunn wrote:
The Linux logwatch package operates on a "these patterns are okay, these
patterns are bad, anything else is unmatched, here's those ones" basis.
There are many modules for different daemons. It might be a good starting
point.
On Sat, Aug 22, 2015 at 10:16 AM Edward Ned Harvey (lopser) <lop...@nedharvey.com> wrote:
I am surprised nobody had a "just use this product" or "just google for
this search term" response -
Let me describe a little more what I'm looking for -
So you create a VM, and turn on apache. Of course it has a default config
file, including a default number of MPM preforks and threads and so on.
These things should be tweaked based on the memory your website requires
per thread, and the amount of ram you have, and number and type of
processors. If you have the numbers too small, and you get a lot of
traffic, then a bunch of users will get "page cannot be displayed" and you
won't know about it, unless you know what to search for in your logs. If
you set the numbers too high, you can become processor or memory starved.
This might cause terrible response times or OOM errors to appear in logs,
which again, result in some percentage of users getting "page cannot be
displayed," and you don't know about it unless you know what to search for
in logs.
We already have monitoring and alerting systems that tell us if CPU load
thresholds get exceeded, or memory thresholds exceeded. We have systems
that periodically (every minute) download pages from the server, and alert
us if they don't get the expected results.
So I'm confident we'll be alerted if the server(s) go down completely, or
become CPU or memory starved. I'm not sure if we're monitoring response
time - I can look into it - but if we've configured the MPM resources too
small (or anything else) we'll have error messages appearing in the logs,
and they go undetected. Meanwhile users will be affected, and we're not alerted.
In Microsoft, the event viewer filters all the critical and failure alerts
for you. Apache generates strings in the log file such as "Fatal error: Out
of memory (allocated 786432) (tried to allocate 24576 bytes)"
I am certain somebody already itemizes all the common or important error
messages that could appear in logs, to separate them from all the noise.
Virtually every line in the access_log and error_log is non-fatal and
non-important, just saying that some requested file doesn't exist, or does
exist, or stuff like that.
There's got to be a good way to search all the logs, regularly, to find
messages that need attention.
The same idea applies to apache, mysql, syslog, I don't know what else.
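The separation Edward asks for, picking the few error_log lines that need attention out of the noise, as an added Python example written for this thread. It is not code from any of the posters or from Apache; the lines it parses are constructed in the Apache 2.2 and 2.4 error_log layouts, and the lists of "serious" and "known noise" message patterns are illustrative assumptions that would need tuning for a real site.

```python
"""Triage Apache error_log lines into attention / review / noise.

Levels emerg, alert and crit always need attention. For error and warn lines
the message text decides: known serious messages (out of memory, MPM worker
exhaustion, crashed children) need attention, known harmless ones are noise,
and anything unrecognised is flagged for review. notice/info/debug are noise."""
import re
from collections import Counter

# Matches both the 2.2 "[error]" and the 2.4 "[module:error]" level field,
# an optional "[pid N]" / "[pid N:tid M]" and an optional "[client addr]".
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?:(?P<module>[^:\]]*):)?(?P<level>[a-z]+)\]"
    r"(?: \[pid [^\]]+\])?(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

ALWAYS_ATTENTION = {"emerg", "alert", "crit"}

# Assumed starting lists; extend from your own logs.
SERIOUS_ERROR = [
    re.compile(r"Out of memory"),
    re.compile(r"Cannot allocate memory"),
    re.compile(r"server reached (MaxRequestWorkers|MaxClients) setting"),
    re.compile(r"exit signal (Segmentation fault|Bus error)"),
]
KNOWN_NOISE = [
    re.compile(r"File does not exist"),
    re.compile(r"client denied by server configuration"),
]

# Constructed sample lines (not from a real server).
SAMPLE_ERROR_LOG = [
    "[Sat Aug 22 10:16:00.123456 2015] [core:error] [pid 2231] [client 203.0.113.4:51234] "
    "File does not exist: /var/www/html/favicon.ico",
    "[Sat Aug 22 10:16:01.000001 2015] [:error] [pid 2232] [client 203.0.113.9:51240] "
    "PHP Fatal error:  Out of memory (allocated 786432) (tried to allocate 24576 bytes) "
    "in /var/www/html/index.php on line 12",
    "[Sat Aug 22 10:16:02.000002 2015] [mpm_prefork:error] [pid 2200] "
    "server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting",
    "[Sat Aug 22 10:16:03.000003 2015] [core:notice] [pid 2200] "
    "Command line: '/usr/sbin/httpd -D FOREGROUND'",
    "[Sat Aug 22 10:16:04.000004 2015] [ssl:warn] [pid 2200] "
    "RSA server certificate CommonName (CN) does not match server name",
    "[Sat Aug 22 10:16:05 2015] [error] [client 203.0.113.4] "
    "client denied by server configuration: /var/www/html/.htaccess",
    "this line is not in error_log format",
]


def classify(line):
    """Return (category, level, message) for one error_log line."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed", None, line
    level, msg = m.group("level"), m.group("msg")
    if level in ALWAYS_ATTENTION:
        return "attention", level, msg
    if level in ("error", "warn"):
        if any(p.search(msg) for p in SERIOUS_ERROR):
            return "attention", level, msg
        if any(p.search(msg) for p in KNOWN_NOISE):
            return "noise", level, msg
        return "review", level, msg
    return "noise", level, msg


def triage(lines):
    """Summarise a batch of lines: per-category counts plus the attention messages."""
    counts = Counter()
    attention = []
    for line in lines:
        cat, _level, msg = classify(line)
        counts[cat] += 1
        if cat == "attention":
            attention.append(msg)
    return {"counts": dict(counts), "attention": attention}


if __name__ == "__main__":
    result = triage(SAMPLE_ERROR_LOG)
    print(result["counts"])
    for msg in result["attention"]:
        print("ATTENTION:", msg)
```

Run periodically over the lines appended since the last run, the "attention" list is what should page someone, and the "review" bucket is where new message types surface so they can be promoted to serious or demoted to noise as you learn the site.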
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/